Enterprise compliance

PixelProof is local-first, but it should not pretend to be an audited enterprise platform.

This page is intentionally explicit for buyers and security teams: what is strong today, what is only a product design claim, and what still needs formal validation before regulated or enterprise-wide rollout.

Buyer-safe summary

Use PixelProof when no-upload browser processing is acceptable. Do not treat it as a certified compliance processor without your own legal, procurement, and security review.

Image data

Local by design

Selected files are processed in the browser. The product does not provide cloud image storage or remotely rendered outputs.

Temporary state

Browser-scoped

Saved setups and cross-tool handoff state use local browser storage such as localStorage and IndexedDB.

Analytics

Route-level only

Analytics should be treated as product usage telemetry, not content inspection. Image pixels are outside the intended event model.

Formal attestations

Not claimed

This site does not currently claim SOC 2, ISO 27001, HIPAA, PCI, or a signed DPA. Teams requiring those should run their own review before adoption.

Security review prompts

Questions a serious buyer should answer before adoption.

Does your policy allow browser-only processing for the image class being handled?
Do users need a signed vendor agreement, or is a no-account browser tool acceptable?
Should analytics be disabled or proxied in your deployment environment?
Do your files contain regulated data that requires formal processor agreements even if the file is not uploaded?